From 11f5a75425c1e6c2e6d5e48671172cabf8cc84e4 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Sat, 23 Sep 2023 15:07:53 +0800
Subject: [PATCH] [tacacs]: Fix tcpdump report error when tacacs enabled (#16372)

Fix tcpdump report error when tacacs enabled.

Why I did it
Fix tcpdump report error when tacacs enabled:
Sep 1 09:25:18.189395 vlab-01 ERR tcpdump: nss_tacplus: /etc/tacplus_nss.conf fopen failed
Sep 1 09:25:18.189606 vlab-01 ERR tcpdump: nss_tacplus: bad config or server line for nss_tacplus
This is because debian add a patch create AppArmor profile for resource access control. The profile need update to allow tcpdump access /etc/tacplus_nss.conf.
Work item tracking
Microsoft ADO: 17667308
How I did it
Modify tcpdump AppArmor profile, add new line to allow tcpdump access TACACS config file:
/etc/tacplus_nss.conf r,
---
 build_debian.sh | 4 ++++
 files/apparmor/usr.bin.tcpdump | 2 ++
 2 files changed, 6 insertions(+)
 create mode 100644 files/apparmor/usr.bin.tcpdump

diff --git a/build_debian.sh b/build_debian.sh
index 34fcd84e0d..a8c44b32cb 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -407,6 +407,10 @@ LogsDirectory=audit
 LogsDirectoryMode=0750
 EOF
 
+# latest tcpdump control resource access with AppArmor.
+# override tcpdump profile to allow tcpdump access TACACS config file.
+sudo cp files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump
+
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
 ## Pre-install the fundamental packages for amd64 (x86)
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
diff --git a/files/apparmor/usr.bin.tcpdump b/files/apparmor/usr.bin.tcpdump
new file mode 100644
index 0000000000..353b360bb7
--- /dev/null
+++ b/files/apparmor/usr.bin.tcpdump
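Review bot: The added `sudo cp files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump` assumes `/etc/apparmor.d/local/` already exists in the target rootfs, yet it sits before the `apt-get -y install` of the fundamental packages shown in the trailing context; if the package that creates that directory is only installed later, the copy fails (and, if the script runs under `set -e`, which this hunk does not show, aborts the build). The plain `cp` also silently replaces any local override fragment the packaged tcpdump may have shipped, and `$FILESYSTEM_ROOT` is unquoted, unlike the rest of this file's style only by accident of the surrounding lines. One line addresses all three: `sudo install -D -m 0644 files/apparmor/usr.bin.tcpdump "$FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump"`. The preceding comment should also say explicitly that the override is installed as a whole-file replacement of the local fragment, e.g. `# Replace (not extend) the local tcpdump profile fragment so tcpdump may read the TACACS NSS config.`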
@@ -0,0 +1,2 @@
+# tcpdump will call getpwnam get current user information, the NSS plugin nss_tacplus hook this API and need access tacacs config file.
+/etc/tacplus_nss.conf r,
\ No newline at end of file
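Review bot: The new rule `/etc/tacplus_nss.conf r,` widens tcpdump's confinement to the TACACS NSS configuration, which the commit message identifies as the file nss_tacplus reads; the comment above it should record that this is deliberately a read-only grant and that the file's own DAC mode remains the control on who can read its contents, since the profile no longer blocks tcpdump from it. The comment as written is also hard to parse; a clearer one-liner would be `# tcpdump calls getpwnam() to look up its user; the nss_tacplus NSS module serves that lookup and must read the TACACS+ config, so grant read-only access here (the file's own permissions still protect it).` The file ends without a trailing newline (`\ No newline at end of file`), which is worth fixing for tooling that appends to profile fragments. Whether this fragment is honoured depends on the packaged `usr.bin.tcpdump` profile including `local/usr.bin.tcpdump`, which this diff does not show; worth confirming against the image's profile rather than assuming it.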